Virus: Worm/AutoIt.X
Date discovered: 10/04/2008
Type: Worm
In the wild: Yes
Reported infections: Medium
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 617,473 bytes
MD5 checksum: 3adfe5101e736d996b27b5d547909477
IVDF version: 7.00.03.144 - Thursday, April 10, 2008

General

Autorun feature: yes (see the autorun.inf dropped on each drive under Files)


Aliases:
   •  Mcafee: W32/Autorun.worm.g virus
   •  Sophos: Mal/Inet-Fam
   •  Panda: W32/Sohanat.HC.worm
   •  Eset: Win32/Autoit.DB
   •  Bitdefender: Rootkit.19206


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files

It copies itself to the following locations:
   • %WINDIR%\regsvr.exe
   • %SYSDIR%\svchost .exe (note the space before ".exe": the name mimics the legitimate svchost.exe that lives in the same directory)
   • %SYSDIR%\regsvr.exe
   • %drive%\regsvr.exe



The following files are created:

%SYSDIR%\setup.ini
%drive%\autorun.inf This is a plain text file (not malicious on its own) whose content launches the worm when the drive is inserted or opened:
   • %code that runs malware%

%SYSDIR%\28463\svchost.exe Further investigation showed that this file is also malware. Detected as: TR/Spy.Ardamax.J

%WINDIR%\Tasks\At1.job
%SYSDIR%\28463\svchost.001
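The autorun.inf written to each drive root is what turns a file copy into an infection: Windows 2000/XP/2003 honour its `open=`, `shellexecute=` and `shell\<verb>\command=` directives when the drive is inserted or double-clicked. The triage script below is an added example in Python (not Avira's code, and not the worm's real autorun.inf, whose content the page elides): it parses an autorun.inf tolerantly, reports which directives would execute what, and lists the programs a responder should collect. The sample file is constructed; it references regsvr.exe only because that is the name the worm copies itself to on %drive%.

```python
"""Triage of an autorun.inf found on a drive root.

Added example: not Avira's code and not the worm's real autorun.inf (the page
elides that content). SAMPLE_AUTORUN is constructed for illustration.
"""
import re

EXEC_KEYS = ("open", "shellexecute")                   # run on AutoRun / AutoPlay
EXEC_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")   # run when the verb is chosen
DEFAULT_KEY_RE = re.compile(r"^shell\\[^\\]+\\default$")  # makes a verb the default

# Constructed sample, NOT taken from the worm; regsvr.exe matches the drop name above.
SAMPLE_AUTORUN = r"""[AutoRun]
; constructed sample
open=regsvr.exe
shell\open\Command=regsvr.exe
shell\open\Default=1
shell\explore\command=regsvr.exe
UseAutoPlay=1
@garbage line with no delimiter, as seen in obfuscated autorun.inf files
"""


def parse_autorun(text):
    """Tolerant INI parse -> {section: {key: value}} with lowercased names.

    Worm-written autorun.inf files often carry NUL bytes, junk lines and
    repeated sections to upset strict parsers, so nothing here raises."""
    sections, current = {}, None
    for raw in text.replace("\x00", "").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue            # junk outside a section or without a delimiter
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _program(command):
    """First token of a command line, quotes stripped, lowercased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split()[0].lower() if command else ""


def referenced_executables(text):
    """Set of programs the file would launch; these are the files to pull for analysis."""
    autorun = parse_autorun(text).get("autorun", {})
    return {_program(v) for k, v in autorun.items()
            if k in EXEC_KEYS or EXEC_KEY_RE.match(k)}


def assess_autorun(text):
    """Return (severity, message) findings for an autorun.inf."""
    autorun = parse_autorun(text).get("autorun")
    if not autorun:
        return [("info", "no [autorun] section: file is inert")]
    findings = []
    for key, value in autorun.items():
        if key in EXEC_KEYS or EXEC_KEY_RE.match(key):
            findings.append(("high", f"'{key}' runs {value!r} on insert or double-click"))
        elif DEFAULT_KEY_RE.match(key) and value == "1":
            findings.append(("medium", f"'{key}' makes that verb the double-click default"))
        elif key == "action":
            findings.append(("medium", f"AutoPlay prompt text {value!r} (often mimics 'Open folder to view files')"))
        elif key == "useautoplay" and value == "1":
            findings.append(("medium", "UseAutoPlay=1 forces AutoPlay on Windows XP"))
    return findings or [("info", "no execution directives")]


if __name__ == "__main__":
    for severity, message in assess_autorun(SAMPLE_AUTORUN):
        print(f"[{severity}] {message}")
    print("executables to collect:", sorted(referenced_executables(SAMPLE_AUTORUN)))
```

Triage is not mitigation: on hosts of this generation the fix is to disable AutoRun for all drive types (the NoDriveTypeAutoRun policy value set to 0xFF) rather than to hunt autorun.inf files one drive at a time.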



It tries to download files:

The location is the following:
   • http://yahoo.com/**********
At the time of writing, this file was not online for further investigation.

The location is the following:
   • http://yahoo.com/**********
At the time of writing, this file was not online for further investigation.

Registry

The following values are added to the listed registry keys so that the processes run again after a reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Msn Messsenger"="%SYSDIR%\regsvr.exe"

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "svchost Agent"="%SYSDIR%\28463\svchost.exe"



The following registry key is added ("DisableRegistryTools"=1 blocks regedit.exe for the current user; "DisableTaskMgr" is written as 0, so Task Manager stays available):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableRegistryTools"=dword:0x00000001
   • "DisableTaskMgr"=dword:0x00000000



The following registry keys are changed:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Connections]
   New value:
   • "DefaultConnectionSettings"=hex:46,00,00,00,05,00,00,00,09,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,80,3C,88,A9,3F,74,CA,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,C0,A8,6B,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Shell"="Explorer.exe regsvr.exe"
   (The default value is "Explorer.exe" alone; the appended regsvr.exe is started by Winlogon at every logon, independently of the Run keys above, and is easy to miss during cleanup.)

[HKLM\SYSTEM\CurrentControlSet\Services\Schedule]
   New value:
   • "AtTaskMaxHours"=dword:0x00000000
   • "NextAtJobId"=dword:0x00000002
   (These are the Task Scheduler's own bookkeeping for the At1.job task listed under Files.)

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • "NofolderOptions"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "GlobalUserOffline"=dword:0x00000000
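The persistence and policy changes above can be hunted for in a registry export (`reg export <key> file.reg` or regedit's File > Export). The script below is an added example in Python, not Avira's code: it parses the REGEDIT5 text format (including hex values continued over several lines, as the DefaultConnectionSettings blob above is) and applies the rules this description implies: Run values that launch regsvr.exe or an svchost.exe outside the system directory, a Winlogon Shell other than Explorer.exe, and policy values that lock the user out of regedit, Task Manager and Folder Options. The sample export is constructed from the page's values; %SYSDIR% is kept as a literal placeholder, HKCU/HKLM are spelled out as real exports do, the ctfmon entry is added as a benign control, and the hex blob is truncated.

```python
"""Hunt in a .reg export for the persistence this description lists.

Added example, not Avira's code. SAMPLE_REG is constructed from the page's
values (placeholders kept literally, blob truncated, one benign entry added).
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Msn Messsenger"="%SYSDIR%\\regsvr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost Agent"="%SYSDIR%\\28463\\svchost.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe regsvr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings"=hex:46,00,00,00,05,00,\
  00,00
'''

RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_SYSTEM = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
POLICY_EXPLORER = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')


def _logical_lines(text):
    """Join lines that regedit continued with a trailing backslash (hex values)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _decode(data):
    """Turn the textual value data into str, int (dword) or bytes (hex, hex(n))."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)            # accepts both 00000001 and 0x00000001
    if data.lower().startswith("hex"):
        return bytes.fromhex(data.split(":", 1)[1].replace(",", "").replace(" ", ""))
    return data


def parse_reg_export(text):
    """Parse REGEDIT5 text into {key_lowercase: {value_name_lowercase: value}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            keys[current][name.lower()] = _decode(m.group("data").strip())
    return keys


def _program(command):
    """First token of a command line, quotes stripped, lowercased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split()[0].lower() if command else ""


def suspicious_program(path):
    """Why a Run-key program matches this worm's naming, or None."""
    parent, _, base = path.lower().replace("/", "\\").rpartition("\\")
    if base == "regsvr.exe":
        return "regsvr.exe is not a Windows binary (the real tool is regsvr32.exe)"
    if base == "svchost .exe":
        return "name 'svchost .exe' (note the space) masquerades as svchost.exe"
    if base == "svchost.exe" and parent != "%sysdir%" and not parent.endswith(("\\system32", "\\syswow64")):
        return "svchost.exe outside the system directory"
    return None


def hunt(text):
    """Return (severity, message) findings for a .reg export."""
    keys, findings = parse_reg_export(text), []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if isinstance(data, str):       # hex(2) REG_EXPAND_SZ values are skipped here
                why = suspicious_program(_program(data))
                if why:
                    findings.append(("high", f"Run value '{name}' -> {data}: {why}"))
    shell = keys.get(WINLOGON, {}).get("shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(("high", f"Winlogon Shell is '{shell}' (expected 'Explorer.exe')"))
    policy = keys.get(POLICY_SYSTEM, {})
    for value in ("disableregistrytools", "disabletaskmgr"):
        if policy.get(value) == 1:
            findings.append(("medium", f"policy {value}=1 blocks the user's own cleanup tools"))
    if keys.get(POLICY_EXPLORER, {}).get("nofolderoptions") == 1:
        findings.append(("medium", "NoFolderOptions=1 hides Folder Options (hidden files cannot be shown)"))
    return findings


if __name__ == "__main__":
    for severity, message in hunt(SAMPLE_REG):
        print(f"[{severity}] {message}")
```

On a live Windows 2000/XP host the same checks are a handful of `reg query` calls on the keys named above; the export-based form is what you use on an offline hive or a collection of exports from many machines.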

File details

Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, December 3, 2009
Description updated by Petre Galan on Thursday, December 3, 2009
